Troubling times for password manager LastPass users. The company announced back in August 2022 they had been hacked which was downplayed by the company as a “compromised developer account, through which part of LastPass’s source code and proprietary technical info were taken.” Worse of all they had advised users not to change their master passwords’.
Now the company has experienced a second related hack, this time impacting customers. As reported Wednesday on its blog, LastPass recently detected unusual activity within a third-party cloud storage service. An investigation has so far revealed that the breach stemmed from knowledge gained during the August 2022 incident, and that “certain elements of customers’ information” have been accessed. Further information is unavailable, as the investigation is still ongoing. LastPass says that customer passwords remain safely encrypted, however.
This is very disturbing as LastPass claims they had “taken steps to isolate and mitigate the issue, as well as hired an outside cybersecurity and forensic team, with the investigation still ongoing.” Further, what are these “certain elements of customers’ information”? Name, Physical/Email Addresses, phone numbers, credit card/payment information? I am not buying their assurance “customer passwords remain safely encrypted”. I really hope that in another few months we don’t find out the hackers were able to reversed engineer LastPass systems and de-encrypt customer passwords (and sell them on the dark web).
It situations such as this why 2-Factor Authentication (2FA) exists. As much as many users dislike the extra friction with 2FA it is going to protect your accounts from hackers accessing them with stolen credentials. It doesn’t matter who long or complex your password is if it is stolen then sold on a list.
via PC World
